Hey Folks,
I am really close to releasing our Elgg environment to my team at work. I am having a hard time getting LDAP authentication to work. I've tried the ldap_auth plugin from the plugin download site as well as the SVN version (trunk).
I've verified my settings as well as using an LDAP browser to make sure all my settings are correct. The problem is, when a user who is in Active Directory tries to log in, it just returns back to the login screen. If I try to sign in as a user NOT in AD, an error shows up saying "no account exists" or something along those lines.
If I look in my http error_log, I see this:
[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] PHP WARNING: 2010-10-29 12:55:22 (EDT): "ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Search: No such object" in file /var/www/vhosts/xxx.xxx.xxx.xxx/httpdocs/mod/ldap_auth/start.php (line 258), referer: http://xxx.xxx.xxx.xxx/
[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] Unable to perform LDAP search: No such object, referer: http://xxx.xxx.xxx.xxx/
[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /var/www/vhosts/xxx.xxx.xxx.xxx/httpdocs/, referer: http://xxx.xxx.xxx.xxx/
We're using the svn ldap_auth plugin with some additional error checking added in. The current one is a little light in that area. I'd guess basedn problem.
I'll see what I can do about committing some of our additions back to the svn repository.
Thanks, Cash.
I realized over the weekend I might have left out some important info:
I finished the integration of our error checking into the original plugin. It is the 1.7 branch of the svn repository: plugins/branches/1.7/ldap_auth
The labels on the fields can be confusing - at least they were to me. If you are doing an anonymous bind, leave the "LDAP bind DN" blank. We're not doing anonymous and so had to enter the bind account username. Initially, I misunderstood that and was putting our base DN there.
Hi guys,
I am trying to add ldap_auth to Elgg 1.7.4.
Is this supposed to work?
Settings are saved without issuing an error (should it show an error if the settings are wrong?)
When I try to log in, it doesn't work as expected.
I don't use TLS; I do use LDAP v3.
Also, assuming that this is configured right, can we use localhost as the hostname for LDAP if the Elgg server and the LDAP server are one and the same?
This is the log output I get:
"ldap_bind(): Unable to bind to server: Invalid credentials" in file /-------/mod/ldap_auth/start.php (line 199), referer: https://secure-----/
LDAP: Unable to bind to the LDAP server with provided credentials: Invalid credentials, referer: https://secure------/
LDAP error: unable to connect to the LDAP server, referer: https://secure------/
I have a couple of web portals using the same LDAPs. So I am pretty sure the settings are OK if it is used as given in the example.
By the way, I did notice that if the hostname is changed to something that doesn't exist, it doesn't get anywhere. So definitely something is happening! Please help me.
Also, I am using the latest from SVN. Why doesn't the latest version have TLS enable/disable settings? Is it hard-coded to enabled? Maybe that is it?
and
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Apr 23 2008 23:35:28)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with eAccelerator v0.9.6, Copyright (c) 2004-2010 eAccelerator, by eAccelerator
@nA looks like you have the wrong bind information for your ldap setup
Hi Cash, thanks for the quick reply.
This is how I made sure that I use the correct settings:
1. Used the same hostname/IP address, port (389) and base DN in Jexplorer
2. Used the security user DN in Jexplorer as the LDAP bind DN. Same password for sure!
3. No spaces or quotes used (just as used in Jexplorer). Both Elgg and Jexplorer from the same PC
4. Able to connect and get details using Jexplorer without issues.
Probably because:
1. I am using HTTPS, would this be an issue? Shouldn't be, but just bringing out all possible obstacles
2. No TLS used in mine, could this be an issue?
3. The order in which this plugin should be placed?
4. Any prerequisites missing?
5. Any extra port needed by Elgg for this authentication, blocked by firewall? Definitely the LDAP service/port is allowed (as Jexplorer from the same PC works fine!)
Any other log to check for/to pick up any other hints?
Thanks, nAni
Also, which version of ldap_auth should I use? The one which is in the SVN (about 2 weeks old) or the one that is released in the Elgg community?
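The two failures logged in this thread point at different plugin settings: "No such object" comes back from ldap_search (LDAP result code 32, the search base does not exist), while "Invalid credentials" comes back from ldap_bind (result code 49). The following is an added example, not part of any post above and not code from the ldap_auth plugin; it groups such error_log lines by failure and names the setting to re-check first. The sample log is constructed from the lines quoted in the thread with paths shortened, and the function and field names are assumptions.

```python
import re

# LDAP result text -> (RFC 4511 result code, plugin setting to re-check first)
RESULTS = {
    "no such object": (32, "base DN"),
    "invalid credentials": (49, "LDAP bind DN and password"),
}
LDAP_CALL = re.compile(r"\b(ldap_[a-z_]+)\(\)")   # PHP function named in a warning
CLIENT = re.compile(r"\[client ([^\]]+)\]")       # Apache error_log client field

# Constructed sample: the six log lines quoted in the thread, paths shortened.
SAMPLE_LOG = '''
[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] PHP WARNING: "ldap_search() [function.ldap-search]: Search: No such object" in file /path/mod/ldap_auth/start.php (line 258)
[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] Unable to perform LDAP search: No such object
[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /path/httpdocs/
"ldap_bind(): Unable to bind to server: Invalid credentials" in file /path/mod/ldap_auth/start.php (line 199)
LDAP: Unable to bind to the LDAP server with provided credentials: Invalid credentials
LDAP error: unable to connect to the LDAP server
'''

def triage(log_text):
    """Group LDAP failures by (client, result); return (findings, unrelated)."""
    findings, unrelated, seen = [], [], {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        lowered = line.lower()
        result = next((r for r in RESULTS if r in lowered), None)
        if result is None:
            # Lines without "ldap" are a different problem (here: mod_rewrite).
            # Generic LDAP follow-ons ("unable to connect") carry no result
            # text and only repeat the failure logged just before them.
            if "ldap" not in lowered:
                unrelated.append(line)
            continue
        client = CLIENT.search(line)
        key = (client.group(1) if client else None, result)
        if key not in seen:
            code, setting = RESULTS[result]
            seen[key] = {"client": key[0], "result": result, "code": code,
                         "call": None, "check": setting, "lines": 0}
            findings.append(seen[key])
        seen[key]["lines"] += 1
        call = LDAP_CALL.search(line)
        if call:  # the PHP warning names the failing call; the plugin line does not
            seen[key]["call"] = call.group(1)
    return findings, unrelated

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)[0]:
        print(f"{f['call']}: {f['result']} (code {f['code']}) -> check {f['check']}")
```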